Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names

from the Ring-PR-team-looking-to-expand:-masochism/sociopathy-a-plus! dept

The eternal flame that is Ring's dumpster fire of an existence continues to burn. In the past few months, the market leader in home surveillance products has partnered with over 600 law enforcement agencies to:

The latest bad news for Ring -- via Caroline Haskins of BuzzFeed -- is another PR black eye inflicted on a company whose face that still hasn't healed from the last half-dozen black eyes.

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people's Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.

Ring says this leak of personal data isn't its fault. The company claims there's been no breach. Maybe so, but the information is out there and presumably being exploited.

And it's kind of hard to take Ring's word for it. The company has been doing nothing but putting out PR fires ever since its law enforcement partnerships came to light earlier this year. And its explanation for where the sensitive data came from makes very little sense.

“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

Ring's spokesperson did not specify which other "companies" it suspected of carelessly handling device names given to Ring devices by Ring users. The spokesperson also failed to explain why Ring took no interest in this sensitive Ring user info until after the security researcher who discovered the compromised credentials discussed his findings on Reddit. "Unable to assist" is not a proper response to notification of a possible breach, but that's exactly what Ring reps told the researcher when he first informed them of what he had found.

Ring may have been quick to blame users for the commandeering of their cameras by a forum full of shitbirds, but the company does almost nothing to ensure users are protected from malicious activity. The only thing Ring does is recommend users utilize two-factor authentication and "strong passwords" (whatever that means). It does not alert users of attempted logins from unknown IP addresses or inform users how many users are logged in at any given time. Ring is doing less than the minimum to protect users but still seems to feel device hijackings are solely the fault of end users.

This is a garbage company. There's no way around it. Ring has prioritized market growth and law enforcement partnerships over the millions of citizens/customers who own its products. Rather than provide a secure product that makes people safer, it's selling a domestic surveillance product that comes with law enforcement strings attached. It has shown it will bend over backwards for the government but is only willing to deliver the most hollow of "we care about our customers" statements in response to news cycle after news cycle showing it absolutely gives zero fucks about its end users.

Filed Under: credentials, data breach, doorbells, leaks, ring, security
Companies: amazon, ring


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    That One Guy (profile), 23 Dec 2019 @ 1:42pm

    Like fighting a fire by tossing on a few logs

    “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

    Given said data apparently includes 'log-in emails, passwords, time zones, and the names people give to specific Ring cameras', that excuse just raises a huge freakin question: Exactly why would another company have that data?

    If the unnamed company in question got the data without Ring's permission and/or knowledge that would absolutely be a data breach worth mentioning, so the only other explanation is that Ring gave that data to another company, which again raises the questions of 'why?' and 'did they inform users that they would be handing that data to third-parties, and if so what explanation(if any) did they give for handing over everything needed to compromise the cameras they were encouraging people to install in their houses?'

    reply to this | link to this | view in thread ]

  2. identicon
    DocGerbil100, 23 Dec 2019 @ 3:35pm

    Re: Like fighting a fire by tossing on a few logs

    I don't want to be interpreted as having anything good to say about the flying hairy big brother clusterfuck that is Ring, much less be seen to defend them, but, honestly, their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.

    Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras' actual end users, this probably would explain why Ring doesn't want to get involved in any investigations, or say anything useful that might help.

    reply to this | link to this | view in thread ]

  3. icon
    Anonymous Monkey (profile), 23 Dec 2019 @ 3:39pm

    Whelp...

    reply to this | link to this | view in thread ]

  4. icon
    That One Guy (profile), 23 Dec 2019 @ 4:14pm

    Re: Re: Like fighting a fire by tossing on a few logs

    their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.

    While I'm sure they would like that to be the case, it simply doesn't fly. There are thousands of people using their product who just had a whole lot of sensitive information made public, like it or not it is their problem, even if only to the extent of finding the source of the leak(and ideally informing the owners of the cameras so they know who had that information other than Ring) and doing what they can to prevent it from happening again.

    Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras' actual end users, this probably would explain why Ring doesn't want to get involved in any investigations, or say anything useful that might help.

    I rather suspect you've found the likely culprit there, and if anything that just makes it more important that they not be let off the hook and allowed to get away with a vague 'someone else is responsible' excuse, as if Ring is going to be using the various police departments as their sales force then I'd say it's rather important for the public they are trying to 'sell' to to know beforehand that said police might very well have full log-in credentials to the cameras they are persuading people to install in their houses, so that they can make an informed decision about said cameras.

    reply to this | link to this | view in thread ]

  5. icon
    tom a sparks (profile), 23 Dec 2019 @ 4:35pm

    ring of fire by johnny cash

    Why do I keep hearing the Ring of Fire by Johnny Cash?

    all together now:

    robo-copyright activated

    reply to this | link to this | view in thread ]

  6. icon
    Norahc (profile), 23 Dec 2019 @ 4:52pm

    Hard to have a data breach of your network when you treat user privacy as a sellable commodity or a donut supply for cops.

    reply to this | link to this | view in thread ]

  7. identicon
    Anonymous Coward, 23 Dec 2019 @ 4:55pm

    Why on earth would anyone have password stored anywhere?

    Every half competent authentication software only stores salted and hashed password.

    Unless maybe ring is suggesting that nearly 4000 people 'shared' (possibly unintentionally) their passwords with malicious software/sites/people. (which seems... doubtful to me)

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, 23 Dec 2019 @ 5:10pm

    "Security team"

    "Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “

    The security team is not particularly skilled perhaps? Would be interesting to see the teams credentials...

    reply to this | link to this | view in thread ]

  9. identicon
    Bobvious, 23 Dec 2019 @ 6:15pm

    citizens/customers who own its products

    own its products

    You sure about that?

    reply to this | link to this | view in thread ]

  10. identicon
    Bobvious, 23 Dec 2019 @ 6:39pm

    Re: ring of fire ♨ by johnny ¢a$h

    Eiffel inn two a bern inn ringo phyre ♨
    Eye weren't doun, doun, doun
    Anderr Flaims when tyre
    Ann deet byrns, burnes, bernes
    The ringo phyre ♨
    The ringo feier♨

    reply to this | link to this | view in thread ]

  11. identicon
    Anonymous Coward, 23 Dec 2019 @ 10:24pm

    whomp whomp whomp

    They bought a device that sold out their privacy and now they want their privacy back?

    Whomp Whomp Whomp

    reply to this | link to this | view in thread ]

  12. identicon
    Anonymous Coward, 23 Dec 2019 @ 10:51pm

    Re: Re: ring of fire ♨ by johnny ¢a$h

    O Tay!

    reply to this | link to this | view in thread ]

  13. identicon
    Anonymous Coward, 24 Dec 2019 @ 6:20am

    What's next for ring ... possibly a password manager?

    reply to this | link to this | view in thread ]

  14. icon
    Ed (profile), 24 Dec 2019 @ 7:10am

    Certain people/groups have a hardon against Ring ever since the company partnered with law enforcement. For the most part, all of the supposed issues now being hysterically broadcast simply are because of ignorant users not securing the devices properly. I suppose Ring should force 2FA from now on, or perhaps put a huge banner on the setup screen to caution against reusing a password from another site. No matter how secure they make their system, the weak-link is always going to be the users, which is what is being proven over and over again. But, yeah, go blame Ring instead, get your ad-clicks and page hits for shitty click-bait articles.

    reply to this | link to this | view in thread ]

  15. identicon
    Anonymous Coward, 24 Dec 2019 @ 7:52am

    Remember folks, the "S" in "IoT" stands for "Security."

    reply to this | link to this | view in thread ]

  16. identicon
    Canuck, 24 Dec 2019 @ 8:53am

    Force 2FA?

    When it's cameras on and in your house, yes, maybe they should.

    P.S. You're a dick.

    reply to this | link to this | view in thread ]

  17. identicon
    Dan, 24 Dec 2019 @ 9:46am

    Re:

    For the most part, all of the supposed issues now being hysterically broadcast simply are because of ignorant users not securing the devices properly.

    So what user error, specifically, resulted in the credentials and device names of nearly 4000 Ring devices being exposed?

    reply to this | link to this | view in thread ]

  18. icon
    That One Guy (profile), 24 Dec 2019 @ 10:15am

    Re:

    The magic code strikes again!

    reply to this | link to this | view in thread ]

  19. identicon
    Anonymous Coward, 24 Dec 2019 @ 10:20am

    Re:

    all of the supposed issues now being hysterically broadcast simply are because of ignorant users not securing the devices properly
    You state this as though you had supporting data.

    Ring should force 2FA
    news item talks about hacks bypassing this
    https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/

    Perhaps you have a vested interest in Ring? Maybe you're that person in those ads ... lol

    reply to this | link to this | view in thread ]

  20. identicon
    Another Ring User, 24 Dec 2019 @ 11:06am

    Re:

    Agree with Ed. While I see all these hysterical posts none of them provide any additional details about why they come to the conclusion that Ring was at fault. RIng has repeatedly pointed out that the reported incidents were investigated and were found to be caused due to use of same passwords as other accounts that were indeed breached. It is not that hard to take emails and passwords that have been collected from other breached sites and tested against Ring to compile a list of "hacked" Ring accounts. Did any of the journalists bother to check what really happened or did they prefer to just be happy with the clicks from their sensational reporting?

    reply to this | link to this | view in thread ]

  21. identicon
    Another Ring User, 24 Dec 2019 @ 11:09am

    Re: Re:

    Forgot to add... yes I work for Ring... No wait, I actually own the company. Now go ahead and take your cheap shots rather than ask the tough questions on what really happened.

    reply to this | link to this | view in thread ]

  22. identicon
    Anonymous Coward, 24 Dec 2019 @ 11:55am

    Re: Re:

    The hysteria (bad word choice btw) is most likely due to the recent news items about ring intrusions. Their analysis, ignoring the bias, states these instances were due to bad password management - ok.

    There are security related reports that point out several security related shortcomings of the device that are unrelated to user password management. These reports did not seem "hysterical" to me, but I suppose it is subjective.

    idk what "any of the journalists" did to fact check their piece, do most of them share such info with their readers?

    It did seem a bit sensational, as in wtf, when I saw the story on the tv where some ass was harassing a child in their own room. But the talking heads should tone it down a notch? Is that what you are suggesting?

    Not everyone is a l33t haxor like yourself.

    reply to this | link to this | view in thread ]

  23. identicon
    bobob, 24 Dec 2019 @ 5:43pm

    I don't blame users for not securing their ring doorbell. I blame them for being stupid enough to ever consider installing one. Just because something is possible, doesn't mean it's a smart thing to do.

    reply to this | link to this | view in thread ]

  24. icon
    WarioBarker (profile), 24 Dec 2019 @ 6:12pm

    Hmm...

    "Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring's systems or network," the spokesperson said.

    So it was an authorized intrusion/compromise, then?

    reply to this | link to this | view in thread ]

  25. identicon
    Rekrul, 25 Dec 2019 @ 1:46am

    The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people's Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.

    I'm surprised that none of these hackers have taken a more subtle approach and just played spooky sound effects at night to make the owners think their homes are haunted.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.